In-depth research on Sandworm shows broad capabilities and scope to disrupt anything from critical infrastructure to political campaigns in any part of the world.

Speakers at this year’s CyberwarCon conference dissected a new era of cyber warfare, as nation-state actors turn to a host of new advanced persistent threat (APT) strategies, tools and tactics to attack adversaries and spy on domestic dissidents and rivals. The highest profile example of this new era of nation-state digital warfare is a Russian military intelligence group called Sandworm, a mysterious hacking initiative about which little has been known until recently. The group has nevertheless launched some of the most destructive cyberattacks in history.

Wired journalist Andy Greenberg has just released a high-profile book about the group, which he said at the conference is an account of the first full-blown cyberwar led by these Russian attackers. He kicked off the event with a deep dive into Sandworm, providing an overview of the mostly human experiences of the group’s malicious efforts.

Sandworm first emerged in early 2014 with an attack on the Ukrainian electric grid that “was a kind of actual cyberwar in progress,” Greenberg said. The grid operators in Ukraine watched helplessly as “phantom mouse attacks” appeared on their screens while Sandworm locked them out of their systems, turned off the back up power to their control rooms, and then turned off electricity to a quarter-million Ukrainian civilians, the first ever blackout triggered by hackers.

In late 2016, Sandworm struck the Ukrainian grid again. “It was a quintessential example of a nation-state disruptive attack on an adversary in the midst of a kinetic war,” Greenberg said. If it hadn’t been for a configuration error in Sandworm’s malware, the attack could have been far more devastating. It could have burned down lines or blown up transformers, as Joe Slowik at Dragos recently discovered in his research of the incident, Greenberg pointed out.

Assume what happened in Ukraine will happen elsewhere

This was “the kind of destructive act on the power grid we've never seen before, but we've always dreaded.” Even more concerning, “what happens in Ukraine we'll assume will happen to the rest of us too because Russia is using it as a test lab for cyberwar. That cyberwar will sooner or later spill out to the West,” Greenberg said. “When you make predictions like this, you don't really want them to come true.”

Sandworm’s adversarial attacks did spill out to the West in its next big attack, the NotPetya malware, which swept across continents in June 2017 causing untold damage in Europe and the United States, but mostly in Ukraine. NotPetya, took down “300 Ukrainian companies and 22 banks, four hospitals that I'm aware of, multiple airports, pretty much every government agency. It was a kind of a carpet bombing of the Ukrainian internet, but it did immediately spread to the rest of the world fulfilling [my] prediction far more quickly than I would have ever wanted it to,” Greenberg said.

The enormous financial costs of NotPetya are still unknown, but for companies that have put a price tag on the attack, the figures are staggering. Shipping giant Maersk, which struggled for months to get back on its feet after watching all its computer screens turn “black, black, black, black, black,” in the words of one Maersk employee, pegged the price of the attack at $300 million. Drug company Merck suffered even greater consequences, with an estimated cost of the attack at $870 million. These and other known financial losses, which to date are estimated at $10 billion, should be considered a floor, a minimum measure of the impact of the consequences of NotPetya, Greenberg said, citing former US Department of Homeland Security advisor Tom Bossert.

Sandworm targets political campaigns, global events

Google security researchers Neel Mehta and Billy Leonard offered new and additional insight into Sandworm’s activities at the conference. They began digging into Sandworm around the time of the 2017 French elections, when the group started targeting Emmanuel Macron’s presidential campaign.

Before Sandworm took over the Russian-state hacking efforts, which Mehta and Leonard pinpoint to April 14, another hacking arm of Russia’s main intelligence arm, the GRU, was on the scene and also targeting Macron’s campaign. “It's almost like the B team was called to take the ball and go home and they called up the A-team,” Leonard said. “The infrastructure, the accounts, everything involved with it. Two very distinct operations.”

Then, in the fall and early winter of 2017, Sandworm pivoted to targeting South Korea and a number of organizations related to the Winter Olympics hosted in PyeongChang. At that point Sandworm began targeting Android phones in an effort to spread malware through a number of infected apps, Mehta and Leonard said.

Their tactic was to take over a number of legitimate apps that were popular in South Korea, such as a bus timetable app. They did so by downloading the legitimate app, backdooring it and then re-uploading it to the place where the legitimate version of the app should be.

Although the purpose of these Android infection attempts is unclear – Mehta and Leonard said no devices were infected by the malware – the last activity of Sandworm in South Korea was in mid-March 2017, an oddity given that the Olympics ended in February of that year.

Russian companies also a target

Sandworm took another turn, however, in the Spring of 2018 when the Google researchers saw the same malware used in domestic targeting of companies that are internal to Russia, including commercial real estate companies, financial institutions and the automotive industry. “You see this group going there, targeting the Olympics, trying to do disruptive attacks against the Olympics, [then] targeting domestic companies within Russia,” Leonard said. “That’s a fairly large shift.”

Next, in the fall of 2018 Sandworm started targeting software developers and mobile application developers, and other developers, primarily based in Ukraine. They succeeded in compromising an application developer, Mehta and Leonard said.

All countries, not just Ukraine, are extremely vulnerable to Sandworm’s attacks. Paraphrasing former NSA and CIA Director Michael Hayden, who once said “On the internet, we are all Polands,” referring to Germany’s easy invasion of the country in World War II, Greenberg said Hayden was off by a few hundred miles. “On the internet, we are all Ukraine.”